Executive summary


Background & Scope 


Under section 123(1) of the Data Protection Act 2018 (DPA18), the Information Commissioner produced a code of 
practice on standards of age appropriate design ("the Code"). The Code applies to "relevant information society 
services which are likely to be accessed by children" in the UK. This includes many apps, programs, connected 
toys and devices, search engines, social media platforms, streaming services, online games, news or educational 
websites and websites offering other goods or services to users over the internet. It is not restricted to services 
specifically directed at children. 


The Code sets out 15 headline standards of age appropriate design that companies need to implement to ensure 
their services appropriately safeguard children's personal data and process children's personal data fairly. The 
Code came into force on 2 September 2021. 


More widely, the Information Commissioner is also responsible for enforcing and promoting compliance with the 
UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA18) and other data protection 
legislation. Section 129 of the DPA18 allows the ICO to carry out consensual audits. The ICO sees auditing as a 
constructive process with real benefits for controllers and so aims to establish a participative approach. 


Yoti agreed to a consensual audit of the measures, processes and policies they have in place to demonstrate 
conformance with the Code and data protection legislation. 


The purpose of the audit is to provide the ICO and Yoti with an independent assurance of the extent to which Yoti, 
within the scope of this agreed audit, is complying with data protection legislation. 


The scope areas covered by this audit are determined following a risk-based analysis of Yoti's processing of 
children's personal data. The scope may take into account any data protection issues or risks which are specific to 
Yoti, identified from ICO intelligence or Yoti's own concerns, and/or any data protection issues or risks which affect 
their specific sector or organisations more widely. The ICO has further tailored the controls covered in each scope 
area to take into account the organisational structure of Yoti, the nature and extent of Yoti's processing of 
children's personal data, and to avoid duplication across scope areas. As such, the scope of this audit is unique to 
Yoti. 


It was agreed that the audit would focus on the following area(s): 


• Governance and Accountability
• Data Protection Impact Assessments
• Transparency
• Children's Rights Implementation
• Due Diligence
• Artificial Intelligence
• Data Minimisation
• Data Sharing
• Default Privacy Settings
• Change Management

Audits are conducted following the Information Commissioner's audit methodology. The key elements of this are 
normally a desk-based review of selected policies and procedures, on-site visits including interviews with selected 
staff, and an inspection of selected records. 


However, due to the outbreak of Covid-19, and the resulting restrictions on travel, this methodology was no 
longer appropriate. Therefore, Yoti agreed to conduct the audit on a remote basis. A desk-based review of selected 
policies and procedures and remote telephone interviews were conducted from 1 November to 12 November 2021. 
The ICO would like to thank Yoti for its flexibility and commitment to the audit during difficult and challenging 
circumstances. 


Where weaknesses were identified, recommendations have been made, primarily around enhancing existing 
processes to facilitate conformance with the Code and data protection legislation. In order to assist Yoti in 
implementing the recommendations, each has been assigned a priority rating based upon the risks to children that 
they are intended to address. The ratings are assigned based upon the ICO's assessment of the risks involved. 
Yoti's priorities and risk appetite may vary and, therefore, they should undertake their own assessments of the 
risks identified. 


Overview of Service and Processing 


Yoti is a global digital identity and biometric technology company which was founded in 2014. Yoti has over 300 
staff and is headquartered in London with offices in Bangalore. Yoti provides verified digital ID through the Yoti 
app. 

The Yoti app is a global identity platform which aims to create a safer way for individual consumers to prove who 
they are by providing a reusable digital ID on their smart phone. The app is free to individual consumers and, to 
date, has been downloaded over 10 million times globally. 


Yoti's identity platform offers business users a simple and reliable way to confirm a service user's identity and 
other data such as age or nationality. Over 12 thousand companies and stores use Yoti's product to verify 
identities. 


The Yoti app can be used by anyone 13 or over in the United Kingdom, which means that Yoti provide an online 
service which can be accessed by children and, as such, should adhere to the principles laid out in the Age 
Appropriate Design Code. 


Yoti has seven ethical principles, including the requirements to enable privacy and anonymity and to keep sensitive 
data secure, which guide their decision making, and an independent Guardian Council, made up of influential 
individuals from relevant fields, whose purpose is to ensure Yoti remains true to the principles. 


In order to create an account to build a digital identity with the Yoti app, users need to provide personal data in the 
form of the country they live in and whether they are 13 or over, provide a mobile number and allow the app to take a 
scan of their face. Once an account is created, users can choose to upload scans of identity documents such as 
passports and driving licences. Once the account has been created and any documents provided have been 
verified, the data is encrypted on Yoti's servers in such a way that only the user can then access this data; Yoti are 
unable to access the data. 


When a business wants to verify a Yoti app user's data, they will request verification of the data they need to 
provide their service, for example proof of age. If the app user has previously had their age verified, the user's app 
will ask the user if they are happy to share this information with the requester. The user will then actively confirm 
they are happy for this information to be shared with the business in question. Once the user has confirmed this, 
the app will generate a QR code for the business to scan to receive confirmation of the user's age. 


Audit Summary 


Assurance Rating / Overall Opinion 


There is a high level of assurance that processes and procedures are in place, that the 
organisation is in conformance with the AADC and are delivering data protection 
compliance. The audit has identified only limited scope for improvement in existing 
arrangements and as such it is not anticipated that significant further action is required 
to reduce the risk of non-conformance with AADC and data protection legislation. 
*The assurance ratings above are reflective of the remote audit methodology deployed at this time and the rating may not necessarily represent a comprehensive assessment of compliance. 
Graphs and Charts 


Good Practice 


Yoti have carried out usability testing with children from diverse backgrounds on the functionality of the Yoti app. 
This included the accessibility of the privacy information within the app. The aims of the testing were centred 
around the standards of the Code, including best interests of the child and transparency. As a result, Yoti have 
made a number of changes to the presentation of privacy information, utilising just-in-time notices, and explaining 
complex terms using images. Yoti have plans to continue to conduct usability testing with children as part of their 
compliance with the Code and UK GDPR transparency requirements. 


Key Feedback Actioned 


The audit highlighted the need for Yoti to review the app biometric consent screen during the app registration 
process, because from a Children's Code perspective this may have been unclear for younger users. Since 
receiving this feedback, Yoti acted swiftly to redesign their registration process to clearly differentiate between the 
consent requested for processing biometric data within the app and the information they provide in relation to 
their research and development data processing (for which Yoti rely on legitimate interests). 


Yoti also acted swiftly to update their privacy notice following audit feedback to include information for data 
subjects on the transfer to and processing of personal data outside of their UK-based security 
centres. Occasionally Yoti will share information with their security centre that is based in India for further checks. 


Yoti Age Appropriate Design Report — December 2021 


